Re: [PATCH v10 00/27] ima: Namespace IMA with audit support in IMA-ns

From: Stefan Berger
Date: Wed Feb 02 2022 - 16:28:24 EST

Next message: Doug Anderson: "Re: [PATCH 4/5] arm64: dts: qcom: sc7280: Clean up sdc1 / sdc2 pinctrl"
Previous message: Jane Chu: "Re: [PATCH v5 2/7] dax: introduce dax device flag DAXDEV_RECOVERY"
In reply to: Stefan Berger: "Re: [PATCH v10 00/27] ima: Namespace IMA with audit support in IMA-ns"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 2/2/22 13:18, Stefan Berger wrote:

On 2/2/22 11:04, Mimi Zohar wrote:

Stefan, we need to differentiate between the different types of audit
records being produced by IMA. Some of these are informational, like
the policy rules being loaded or "Time of Measure, Time of Use"
(ToMToU) records. When we discuss IMA-audit we're referring to the
file hashes being added in the audit log. These are the result of the
IMA "audit" policy rules.

How much of these informational messages should be audited in IMA
namespaces still needs to be discussed. For now, feel free to limit
the audit messages to just the file hashes.

I doubt we should let a user produce informational audit messages or audit messages related to file hashes... it's unfortunate, but it opens a door for abuse.

After some offline discussion with Mimi, the solution may be to gate setting IMA audit policy rules with CAP_SYS_ADMIN.

Stefan

Next message: Doug Anderson: "Re: [PATCH 4/5] arm64: dts: qcom: sc7280: Clean up sdc1 / sdc2 pinctrl"
Previous message: Jane Chu: "Re: [PATCH v5 2/7] dax: introduce dax device flag DAXDEV_RECOVERY"
In reply to: Stefan Berger: "Re: [PATCH v10 00/27] ima: Namespace IMA with audit support in IMA-ns"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]